From 4a40e2a5f2009cf282dd783e73e1fb860ac758ba Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 15 Dec 2020 19:05:54 +0000
Subject: Refactor archivers (#3820)
* Create archiver-common.inc
* add apparmor to archiver-common.inc
* refactor 7z.profile
* refactor ar.profile
* refactor atool.profile
* refactor bsdtar.profile
* refactor cpio.profile
* refactor gzip.profile
* refactor tar.profile
* refactor unrar.profile
* refactor unzip.profile
* refactor xzdec.profile
* refactor zstd.profile
* rewording
* blacklist ${RUNUSER} in archiver-common.inc Thanks to @rusty-snake for suggesting this.
* drop non-sensical ${RUNUSER}/wayland-* blacklisting in archiver-common.inc See discussion in https://github.com/netblue30/firejail/pull/3820#discussion_r543523343
---
etc/inc/archiver-common.inc | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 etc/inc/archiver-common.inc
(limited to 'etc/inc/archiver-common.inc')
diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
new file mode 100644
index 000000000..2c5e4d8bf
--- /dev/null
+++ b/etc/inc/archiver-common.inc
@@ -0,0 +1,44 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include archiver-common.local
+
+# common profile for archiver/compression tools
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+apparmor
+caps.drop all
+hostname archiver
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
-- cgit v1.2.3-70-g09d2
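Review bot: The `#noroot` line is left commented out with no reason given, so every archiver profile that includes this file runs without the `noroot` user namespace and a later reader cannot tell whether that is deliberate or an oversight. If it is disabled because archivers need to see or restore ownership for other users and groups (an assumption; the patch does not say), record that next to the line, for example `# noroot is off on purpose: <reason>; profiles that do not need it should add noroot themselves`. A short header comment would also help, stating that including profiles must place their own `noblacklist` and allow-*.inc lines before `include archiver-common.inc`, because `blacklist ${RUNUSER}` and the disable-*.inc includes here apply in file order. The per-tool profiles are outside this view, so whether they already do this cannot be confirmed from the hunk.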